
SPF vs DKIM vs DMARC: Email Authentication Complete Guide

Email spoofing and phishing cost billions annually. SPF, DKIM, and DMARC are the three DNS-based standards that, together, form the strongest defense available to domain owners.

📅 Published June 2026 · ⏳ 15 min read · ✍️ ToolsNovaHub Editorial Team
SPF, DKIM, and DMARC are three complementary email authentication standards that work together to prevent email spoofing and phishing. None alone is sufficient — understanding how they differ and interact is essential for anyone managing email infrastructure.

The Email Authentication Trinity

Standard | What It Authenticates | How | DNS Record Type
SPF | Is the sending server's IP authorized? | Allowlist of IPs/ranges in DNS | TXT (at the domain name itself)
DKIM | Is the message content unaltered? | Cryptographic signature in header | TXT (selector._domainkey)
DMARC | Do SPF and DKIM align? | Policy enforcement + reporting | TXT (_dmarc)

SPF (Sender Policy Framework)

SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. The receiving mail server checks whether the sending server's IP address matches the authorized IPs listed in the domain's SPF TXT record.

An SPF record looks like: v=spf1 include:_spf.google.com include:mailgun.org ip4:203.0.113.5 ~all

The mechanisms: include: delegates to another domain's SPF; ip4:/ip6: specifies explicit IPs; a: includes the domain's A record IP; mx: includes MX server IPs. The qualifier at the end (-all = hard fail, ~all = soft fail, ?all = neutral) determines what happens to mail from unlisted sources.

SPF limitation: SPF only checks the envelope "From" (MAIL FROM / Return-Path), not the visible "From" header that users see. Email forwarders break SPF because the forwarding server's IP wasn't in the original sender's SPF record.
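The SPF evaluation described above, as an added example (not code from this page or its tools): the record is tokenized, each mechanism is tested against the connecting IP, and the qualifier of the first match decides the result. DNS is replaced by constructed dictionaries so it runs offline; ptr, exists, redirect= and macros are left out.

```python
import ipaddress

# Constructed stand-ins for DNS answers (not real records); domain -> SPF TXT.
SPF_TXT = {
    "example.com": "v=spf1 include:_spf.mailhost.test ip4:203.0.113.5 a mx ~all",
    "_spf.mailhost.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}
A_RECORDS = {"example.com": ["192.0.2.10"]}   # answers for the "a" mechanism
MX_ADDRS = {"example.com": ["192.0.2.25"]}    # MX host addresses for "mx"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def ip_in(ip, cidr):
    """True if ip falls inside cidr; a bare address means a single host."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def check_spf(domain, ip, txt=SPF_TXT, a=A_RECORDS, mx=MX_ADDRS):
    """Evaluate domain's SPF record against the connecting IP.
    Returns pass, fail, softfail or neutral, or none when no record exists."""
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual = "+"                       # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)     # v4 address never matches a v6 range
        elif name == "include":
            # include: matches only if the delegated record itself returns pass
            matched = check_spf(arg, ip, txt, a, mx) == "pass"
        elif name == "a":
            matched = ip in a.get(arg or domain, [])
        elif name == "mx":
            matched = ip in mx.get(arg or domain, [])
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # nothing matched and no "all" term
```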

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing email headers. The sending mail server signs the message with a private key; the receiving server retrieves the corresponding public key from DNS and verifies the signature. This proves the message came from an authorized sender and wasn't altered in transit.

A DKIM signature in email headers: DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail; ...

The DNS record for DKIM: mail._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."

DKIM advantages over SPF: DKIM survives email forwarding (the signature travels with the message); it authenticates message content integrity not just server IP; it works with the header "From" domain. DKIM limitation: DKIM alone doesn't prevent display name spoofing or domain impersonation visible to users without DMARC enforcement.
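An added example (not from this page) of the content-integrity part of DKIM verification: body canonicalization and the bh= body hash, plus deriving the DNS name where the public key lives from the s= and d= tags. The RSA signature over the headers (the b= tag) is not checked here because that needs a crypto library; the sample message and signature header are constructed.

```python
import base64
import hashlib
import re

def canonicalize_body(body, canon="relaxed"):
    """DKIM body canonicalization (RFC 6376 section 3.4), simple or relaxed."""
    lines = body.split("\r\n")
    if canon == "relaxed":
        # collapse runs of whitespace to one space and drop trailing whitespace
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":      # drop trailing empty lines
        lines.pop()
    if not lines:
        return "\r\n" if canon == "simple" else ""
    return "\r\n".join(lines) + "\r\n"  # body always ends with exactly one CRLF

def body_hash(body, canon="relaxed", algo="sha256"):
    """The base64 digest a signer places in the bh= tag."""
    digest = hashlib.new(algo, canonicalize_body(body, canon).encode()).digest()
    return base64.b64encode(digest).decode()

def parse_tags(header_value):
    """Turn 'v=1; a=rsa-sha256; bh=...; ...' into a dict of DKIM tag values."""
    tags = {}
    for part in header_value.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def verify_body_hash(dkim_signature, body):
    """Recompute bh= over the received body; False means the body was altered."""
    tags = parse_tags(dkim_signature)
    algo = tags.get("a", "rsa-sha256").split("-")[-1]        # sha1 or sha256
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"   # c=header/body
    return body_hash(body, body_canon, algo) == tags.get("bh")

def key_record_name(dkim_signature):
    """DNS name the receiver queries for the public key: <s>._domainkey.<d>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

# Constructed sample message; bh= is computed here, not copied from real mail.
ORIGINAL_BODY = "Your invoice is attached.\r\n\r\nThanks,\r\nAccounts\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; "
             "h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY) + "; b=omitted")
```

Relaxed canonicalization is why a forwarder that re-wraps whitespace does not break the body hash, while any change to the words does.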

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM by adding policy enforcement and reporting. It requires that at least one of SPF or DKIM not only passes but also "aligns" — meaning the authenticated domain matches the visible "From" header domain that recipients see.

A DMARC record: _dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; pct=100"

DMARC policies: p=none (monitor only, no action); p=quarantine (send to spam if fails); p=reject (reject emails that fail). The rua tag specifies where aggregate reports are sent; ruf for forensic reports of individual failures.

Reporting: DMARC's reporting mechanism is unique — receiving mail servers send XML aggregate reports back to the sender, listing all mail they processed claiming to be from your domain, with pass/fail results for SPF and DKIM. This gives domain owners visibility into who is sending email on their behalf — essential for detecting spoofing and identifying unauthorized senders.

How SPF, DKIM, and DMARC Work Together

1. Email Sent
Your mail server sends an email. It signs the message with your DKIM private key and uses a Return-Path domain that matches your SPF record.

2. SPF Check
Receiving server checks: is the sending IP in the SPF record for the envelope sender domain? The Pass/Fail/SoftFail/Neutral result is recorded.

3. DKIM Check
Receiving server retrieves the public key from DNS and verifies the DKIM signature, checking that the message content hasn't changed and the signature is valid.

4. DMARC Alignment Check
DMARC checks: does the SPF-authenticated domain align with the header From? Does the DKIM-signed domain align? If at least one passes alignment, DMARC passes.

5. Policy Applied
Based on the DMARC policy (none/quarantine/reject), the receiving server decides whether to deliver, flag as spam, or reject the message.

6. Report Sent
Receiving server generates aggregate report data and sends it to the domain's rua address, showing total volume, pass/fail rates, and sending sources.
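Steps 4 and 5 above, as an added example (not code from the page): given the SPF and DKIM outcomes for one message, check relaxed or strict alignment against the header From domain and apply p= or sp=. The DMARC records and scenarios are constructed; org_domain is a simplification (real receivers consult the Public Suffix List), and pct= sampling is not modelled.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain. Simplification: real DMARC consults the Public
    Suffix List; here the last two labels are used (fine for example.com)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment accepts subdomains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_passed, disposition) for one message.
    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is the d= tag
    of a signature that verified (None when there is no valid signature)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)  # sp= overrides p= for subdomains
    if passed or policy == "none":
        return passed, "deliver"         # p=none only reports, never blocks
    return passed, policy                # "quarantine" or "reject"

# Constructed records and scenarios (example.com is a reserved example name).
POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"
SUBDOMAIN = "v=DMARC1; p=reject; sp=quarantine"

if __name__ == "__main__":
    # forwarded mail: SPF fails at the forwarder's IP, the DKIM signature still aligns
    print(evaluate_dmarc(POLICY, "example.com", "fail", "example.com", "pass", "example.com"))
```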

Checking SPF, DKIM, and DMARC Records

Use our DNS Lookup tool to inspect all three records for any domain:

  • SPF: Query TXT records for the domain root (e.g., example.com). Look for a record starting with v=spf1.
  • DKIM: Query TXT records for selector._domainkey.example.com — you need to know the selector name (often "mail", "google", "smtp", or found in email headers).
  • DMARC: Query TXT records for _dmarc.example.com. The full record shows policy, reporting addresses, and alignment mode.

Our Email Checker tool also validates SPF and DMARC status for any domain automatically.

FAQs: SPF vs DKIM vs DMARC

Do I need all three — SPF, DKIM, and DMARC?
For maximum email security and deliverability, yes. SPF alone is bypassed by display-name spoofing. DKIM alone provides no policy enforcement. DMARC requires at least SPF or DKIM to be in place and adds the critical alignment check and policy layer. Google and Yahoo now require SPF, DKIM, and DMARC for bulk senders.
Why does email forwarding break SPF?
When a mail server forwards your email to another address, it sends the message from its own IP but keeps your domain in the Return-Path. The receiving server checks SPF for your domain but sees the forwarder's IP — which isn't in your SPF record, causing SPF to fail. DKIM survives forwarding because the signature is part of the message itself. This is why DMARC should use "relaxed" SPF alignment (default) or rely primarily on DKIM for forwarded mail.
What is the safe order to implement these?
Start with SPF and DKIM — implement both, then verify they pass for all your legitimate mail streams. Then add DMARC at p=none to collect reports without affecting delivery. Analyze reports for 2–4 weeks to identify any missed sending sources. Then escalate to p=quarantine, monitor, and finally p=reject when confident all legitimate mail passes.
Can SPF have too many DNS lookups?
Yes — SPF specifies a maximum of 10 DNS lookups during evaluation. Each include:, a:, mx:, and ptr: mechanism costs one lookup. Exceeding this limit causes a "PermError" which many receivers treat as SPF fail. Use flattened SPF records (listing IPs directly rather than include: chains) or SPF flattening tools to stay within the limit.
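An added example (not from this page) of the lookup-limit check described in this answer: it walks an SPF record and every include:/redirect= it references, counting the terms that cost a DNS query, and reports whether the worst-case total stays within 10. The SPF records below are constructed stand-ins for DNS TXT answers.

```python
import re

# Constructed SPF records standing in for DNS TXT answers (not real domains).
SPF_TXT = {
    "example.com": "v=spf1 include:_spf.crm.test include:_spf.mailhost.test a mx ip4:203.0.113.5 -all",
    "_spf.crm.test": "v=spf1 include:spf1.crm.test include:spf2.crm.test -all",
    "spf1.crm.test": "v=spf1 ip4:198.51.100.0/24 a mx -all",
    "spf2.crm.test": "v=spf1 ip4:198.51.100.128/25 ptr -all",
    "_spf.mailhost.test": "v=spf1 ip4:192.0.2.0/24 exists:%{i}.lookup.test -all",
    "bulk.test": "v=spf1 include:example.com include:_spf.crm.test -all",
}
# Terms that cost a DNS query during evaluation (RFC 7208 section 4.6.4);
# ip4, ip6 and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"([a-z0-9]+)(?:[:=]([^/]*))?(?:/\d+)?$", re.I)

def count_lookups(domain, txt=SPF_TXT, _chain=()):
    """Worst-case lookup count for domain's SPF record (every term evaluated).
    Returns (total, path) where path names each term that cost a query."""
    if domain in _chain:                 # include/redirect loop: stop here
        return 0, []
    total, path = 0, []
    for term in txt.get(domain, "").split()[1:]:
        m = TERM_RE.match(term.lstrip("+-~?"))
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name in LOOKUP_TERMS:
            total += 1
            path.append(f"{domain}: {name}:{arg or domain}")
        if name in ("include", "redirect") and arg:
            sub_total, sub_path = count_lookups(arg, txt, _chain + (domain,))
            total += sub_total
            path.extend(sub_path)
    return total, path

def spf_lookup_status(domain, txt=SPF_TXT, limit=10):
    """'ok' when the record stays within the limit, else the PermError outcome."""
    return "ok" if count_lookups(domain, txt)[0] <= limit else "permerror"

if __name__ == "__main__":
    total, path = count_lookups("bulk.test")
    print(total, spf_lookup_status("bulk.test"))
    print("\n".join(path))
```

The path list is what you would use to decide which include: chains to flatten into ip4:/ip6: entries.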
What does DMARC p=reject actually do?
With p=reject, receiving mail servers are instructed to reject (not deliver, not spam-folder) any email claiming to be from your domain that fails DMARC alignment. This is the strongest protection against spoofing — attackers can't send convincing phishing emails using your domain because they'll be rejected before reaching inboxes. The risk: any legitimate email stream you haven't configured properly will also be rejected.